On Thu, May 25, 2017 at 01:34:16AM -0400, Rob Foehl via FreeIPA-users wrote:
> I've got a test instance of FreeIPA 4.4.4 running on F25 that was installed with --external-ca, and the resulting CSR signed with a validity period of 30 days to test behavior around expirations.
>
> Upon booting that instance today, certmonger decided to preemptively renew every IPA cert -- which is a good thing -- but did so without waiting for renewal of the IPA CA cert first, which is less good. Now that instance has a pile of certs that expire in two weeks, since they were signed with and thus tied to the expiration of the old IPA CA cert.
This is not correct. The CA cert must be valid for the leaf cert to be valid, but the CA cert *can* be renewed without requiring leaf certificates to be reissued. So long as the following conditions are met, everything will be fine:
1. The CA's key (and Subject Key Identifier) do not change
2. The CA's Subject DN does not change
3. The new CA certificate gets distributed to clients.
Cheers, Fraser
> While I'm guessing certmonger will figure this out and do the right thing within a couple weeks -- and with the expectation that this would only happen once per IPA CA renewal with a "real" deployment -- is this the intended behavior?
>
> Logs are a bit of a mess between this and a potentially-resolved SELinux issue with certmonger, but I'll wedge them all into a proper bug report if desired.
>
> -Rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
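The three conditions in Fraser's reply can be checked and demonstrated with plain openssl. The script below is an added example written for this page; it is not from the thread and not FreeIPA or certmonger code, and the CA name, hostname, validity periods and file names are constructed for the demo. It issues a leaf under a short-lived CA certificate, "renews" the CA certificate with the same key and Subject DN, and shows that the existing leaf still verifies against the renewed CA certificate but not against a CA that was rekeyed (condition 1 violated).

```shell
#!/bin/sh
# Added example, not from the thread: CA certificate renewal without reissuing leaf certs.
# Requires the openssl command-line tool. All names and lifetimes below are constructed.
set -e
work=$(mktemp -d)
cd "$work"

# Constructed CA key, reused for the old and the renewed CA certificate (condition 1).
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -subj "/CN=Example Test CA" -out ca.csr 2>/dev/null

cat > ca.ext <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Old CA certificate: deliberately short-lived, like the 30-day externally signed CA in the thread.
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -set_serial 1 \
    -extfile ca.ext -out ca-old.crt 2>/dev/null

# Leaf certificate signed under the old CA certificate.
# AKID carries only the key id: with issuer name + serial (issuer:always) the leaf
# would be pinned to this one CA certificate's serial and the renewal trick would not work.
cat > leaf.ext <<EOF
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=ipa.example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca-old.crt -CAkey ca.key -CAcreateserial -days 30 \
    -extfile leaf.ext -out leaf.crt 2>/dev/null

# Renewed CA certificate: same key, same Subject DN (reusing the CSR), new serial, longer validity.
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -set_serial 2 \
    -extfile ca.ext -out ca-new.crt 2>/dev/null

# Counter-example: a rekeyed CA with the same Subject DN but a fresh key.
openssl genrsa -out ca2.key 2048 2>/dev/null
openssl req -new -key ca2.key -subj "/CN=Example Test CA" -out ca2.csr 2>/dev/null
openssl x509 -req -in ca2.csr -signkey ca2.key -days 3650 -set_serial 3 \
    -extfile ca.ext -out ca-rekeyed.crt 2>/dev/null

# Conditions 1 and 2: the renewed CA certificate must carry the same public key
# (hence the same SKI, since it is hash-derived here) and the same Subject DN.
same_ca_identity() {
    old_pub=$(openssl x509 -in "$1" -noout -pubkey)
    new_pub=$(openssl x509 -in "$2" -noout -pubkey)
    old_subj=$(openssl x509 -in "$1" -noout -subject)
    new_subj=$(openssl x509 -in "$2" -noout -subject)
    [ "$old_pub" = "$new_pub" ] && [ "$old_subj" = "$new_subj" ]
}

# Returns 0 when the leaf builds a valid chain to the given CA certificate.
leaf_verifies_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {
    if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi
}

report same_ca_identity ca-old.crt ca-new.crt        # OK: key and subject preserved
report same_ca_identity ca-old.crt ca-rekeyed.crt    # FAIL: key changed
report leaf_verifies_against ca-old.crt leaf.crt      # OK
report leaf_verifies_against ca-new.crt leaf.crt      # OK: renewal did not invalidate the leaf
report leaf_verifies_against ca-rekeyed.crt leaf.crt  # FAIL: signature/AKID no longer match
```

Run the script and compare the last five lines with the trailing comments. Condition 3 (distribution) is not something a local script can prove; on a real deployment the equivalent check is running `same_ca_identity` and `leaf_verifies_against` on each client against the CA certificate it actually trusts after the renewal has been pushed out.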